Microsoft is moving to encrypt its Internet traffic based on assumptions that the National Security Agency has broken into its internal global communications systems, as it did with Google and Yahoo, according to sources familiar with the plans.

Microsoft’s suspicions that the NSA is intercepting traffic
within its private networks were heightened in October, when it
was reported such intrusions have happened to Google and Yahoo,
which have similar global infrastructures. Sources close to
Microsoft’s deliberations told The Washington Post top executives
at the company are to meet this week to decide what encryption
initiatives will take place.

The Post reports two previously unreleased slides obtained via
former NSA contractor Edward Snowden suggest the company is
rightly concerned.

The slides on the operations on Google and Yahoo networks also
reference Microsoft’s Hotmail and Windows Live Messenger. Another
NSA email mentions Microsoft Passport, a web service no longer
offered by Microsoft, as another potential target of the
surveillance program called MUSCULAR.

Microsoft officials said they don’t have independent verification
such surveillance of their internal data centers is occurring,
though the company’s general counsel Brad Smith said Tuesday that
such revelations would be “very disturbing” and a
violation of constitutional rights.

Encryption efforts of such a scale would put Microsoft in the
same league as Google, Yahoo, Facebook and other tech giants that
have reinforced security defenses amid the cascade of secret NSA
programs coming to light - some of which the companies have
legally participated in with the NSA.

Experts tell The Post such investments in encryption will hamper
surveillance - by governments, private companies and hackers
alike - for years. These technology efforts may even supersede
congressional policy efforts, currently underway, as the most
tangible outcome of steady revelations of NSA surveillance since
early June, when the Guardian and The Washington Post ran the
first stories supplied with classified documents given to them by
Snowden.

“That’s a pretty big change in the way these companies have
operated,” said Matthew Green, a Johns Hopkins University
cryptography expert. “And it’s a big engineering effort.”

The NSA said Tuesday in a statement about Microsoft that the
agency’s “focus is on targeting the communications of valid
foreign intelligence targets, not on collecting and exploiting a
class of communications or services that would sweep up
communications that are not of bona fide foreign intelligence
interest to the US government.”

One anonymous US official said Tuesday that collection can be
done at various points and does not have to happen on a company’s
private fiber-optic links.

A 2009 email from a senior manager of the NSA’s MUSCULAR program
specifies that a targeting tool known as “MONKEY PUZZLE”
can search only across a listed “realm,” including Google,
Yahoo and Microsoft’s Passport service. What service the fourth
realm, “emailAddr,” represents is not clear. “NSA
could send us whatever realms they like right now, but the
targeting just won’t go anywhere unless it’s of one of the above
4 realms,” the email said.

The MUSCULAR program involves a process in which the NSA and
Britain’s GCHQ intercept communications overseas, where lax
restrictions and oversight allow the agencies access to
intelligence with ease.

“NSA documents about the effort refer directly to ‘full take,’
‘bulk access’ and ‘high volume’ operations on Yahoo and Google
networks,” The Post reported. “Such large-scale collection
of internet content would be illegal in the United States, but
the operations take place overseas, where the NSA is allowed to
presume that anyone using a foreign data link is a
foreigner.”

To do so, the NSA and GCHQ rely on capturing information
being sent between company data centers around the globe,
intercepting those bits and bytes in transit by tapping in as
information is moved from the “Public Internet” to the
private “clouds” operated by the likes of Google and
Yahoo. Those cloud systems involve the linking of international
data centers, each processing and containing huge troves of user
information for potentially millions of customers.

Intelligence officers who can sneak through the cracks when
information is decrypted — or never encrypted in the first place
— can then see the information sent in real time and take “a
retrospective look at target activity,” according to
documents seen by The Post.

“Because digital communications and cloud storage do not
usually adhere to national boundaries, MUSCULAR and a previously
disclosed NSA operation to collect Internet address books have
amassed content and metadata on a previously unknown scale from
US citizens and residents,” The Post reported.

Microsoft general counsel Brad Smith hinted at the company’s
encryption efforts at a shareholders meeting recently. “We’re
focused on engineering improvements that will further strengthen
security,” he said, “including strengthening security
against snooping by governments.”

While company officials do not have definitive proof of the data
interception, the company has held high-level meetings to discuss
the possibility of encryption efforts “across the full range
of consumer and business services.” Big decisions will be
made this week at company headquarters in Redmond, WA, anonymous
sources familiar with Microsoft’s planning told The Post.

Of NSA documents mentioning Microsoft services, Smith said in a
statement: “These allegations are very disturbing. If they are
true these actions amount to hacking and seizure of private data
and in our view are a breach of the protection guaranteed by the
Fourth Amendment to the Constitution.”

Upon news of MUSCULAR’s intrusions, Google’s general counsel
David Drummond said he was “outraged.” The company
announced new encryption efforts at data centers worldwide in
September.

Yahoo announced its own encryption initiatives last week.

These major tech companies have called for limits to NSA’s
surveillance powers, especially those used without oversight from
the Foreign Intelligence Surveillance Act court.

NSA documents from Snowden do not outline how the NSA would
access Microsoft’s data, though it is possible some or all of it
happens on the public internet and not via private links to data
centers. Some MUSCULAR documents do, though, discuss targeting
Microsoft online services. Microsoft’s Hotmail has been one of
several email services shown to have been targeted by NSA
surveillance.

Privacy advocates meanwhile have criticized Microsoft in the past
for being slow to adopt encryption technology.

“Microsoft is not yet in a situation where we really call them
praiseworthy,” said Peter Eckersley, director of technology
projects at the Electronic Frontier Foundation. “Microsoft has
no excuse for not being a leader in encryption and security
systems, and yet we often see them lagging behind the
industry.”

Documents released by Snowden have indicated Microsoft has
worked with US officials in the past to
circumvent some encryption on the company’s services.